@bjorntech/alchemy-azure 0.2.0-beta.57

package/src/ContainerAppEnvironment.ts

@@ -0,0 +1,253 @@
+import type { ManagedEnvironment } from "@azure/arm-appcontainers";
+import * as Effect from "effect/Effect";
+import { Unowned } from "alchemy/AdoptPolicy";
+import { isResolved } from "alchemy/Diff";
+import { Resource } from "alchemy";
+import * as Provider from "alchemy/Provider";
+import { makeAzureClients } from "./Clients.ts";
+import { azureError, isNotFound } from "./Errors.ts";
+import { collectAzurePages, diffValueEqual, makePhysicalNames, requireLocation, resourceGroupName, resolveResourceValue, withHeartbeat } from "./Internal.ts";
+import type { Providers } from "./Providers.ts";
+import type { ResourceProviderRegistration } from "./ResourceProviderRegistration.ts";
+import type { ResourceGroup } from "./ResourceGroup.ts";
+import { hasAlchemyTags, withAlchemyTags } from "./ResourceGroup.ts";
+
+export interface ContainerAppEnvironmentProps {
+  /** Managed environment name. Defaults to a deterministic Azure-safe physical name. */
+  name?: string;
+  /** Resource group object or name containing the managed environment. */
+  resourceGroup: string | ResourceGroup;
+  /** Azure region. Defaults to the resource group's location when a ResourceGroup object is supplied. */
+  location?: string;
+  /** Log Analytics workspace customer ID for Container Apps logs. */
+  logAnalyticsCustomerId?: string;
+  /** Log Analytics shared key for Container Apps logs. */
+  logAnalyticsSharedKey?: string;
+  /** Whether the environment is zone redundant. */
+  zoneRedundant?: boolean;
+  /** Tags to apply to the managed environment. */
+  tags?: Record<string, string>;
+  /** Optional provider registration dependency, usually `Microsoft.App`. */
+  providerRegistration?: ResourceProviderRegistration;
+  /** Whether to delete the managed environment when removed from Alchemy. @default true */
+  delete?: boolean;
+}
+
+export type ContainerAppEnvironment = Resource<
+  "Azure.ContainerAppEnvironment",
+  ContainerAppEnvironmentProps,
+  {
+    name: string;
+    resourceGroupName: string;
+    location: string;
+    environmentId: string;
+    defaultDomain?: string;
+    staticIp?: string;
+    provisioningState?: string;
+    tags?: Record<string, string>;
+  },
+  never,
+  Providers
+>;
+
+/**
+ * Azure Container Apps managed environment.
+ *
+ * @example
+ * ```ts
+ * const environment = yield* Azure.ContainerAppEnvironment("Env", {
+ *   resourceGroup: group,
+ * });
+ * ```
+ */
+export const ContainerAppEnvironment = Resource<ContainerAppEnvironment>(
+  "Azure.ContainerAppEnvironment",
+);
+
+export const ContainerAppEnvironmentProvider = () =>
+  Provider.effect(
+    ContainerAppEnvironment,
+    Effect.gen(function* () {
+      const clients = yield* makeAzureClients;
+      const names = yield* makePhysicalNames;
+
+      const environmentName = (id: string, instanceId: string, name?: string) =>
+        names.physicalName(id, instanceId, name, {
+          maxLength: 32,
+          suffixLength: 6,
+          delimiter: "-",
+          lowercase: true,
+          sanitize: (value) =>
+            value
+              .replaceAll(/[^a-z0-9-]/g, "-")
+              .replaceAll(/^-+|-+$/g, "")
+              .slice(0, 32),
+        });
+
+      return ContainerAppEnvironment.Provider.of({
+        stables: ["name", "environmentId", "resourceGroupName"],
+        list: () =>
+          Effect.gen(function* () {
+            const groups = yield* Effect.tryPromise({
+              try: () => collectAzurePages(clients.resources.resourceGroups.list()),
+              catch: (cause) => azureError({ operation: "list resource groups", cause }),
+            });
+            const environments = yield* Effect.forEach(
+              groups,
+              (group) => {
+                if (!group.name) return Effect.succeed([]);
+                return Effect.tryPromise({
+                  try: () => collectAzurePages(
+                    clients.appContainers.managedEnvironments.listByResourceGroup(group.name!),
+                  ),
+                  catch: (cause) =>
+                    azureError({ operation: "list Container Apps managed environments", resource: group.name, cause }),
+                }).pipe(Effect.map((items) => items.map((item) => [group.name!, item] as const)));
+              },
+              { concurrency: 4 },
+            );
+            return environments
+              .flat()
+              .filter(([, environment]) => environment.tags?.["alchemy:logical-id"])
+              .map(([resourceGroupName, environment]) => toAttributes(environment, resourceGroupName));
+          }),
+        diff: Effect.fnUntraced(function* ({ id, instanceId, olds, news, output }) {
+          if (!isResolved(news)) return undefined;
+          if (!output) return undefined;
+          const name = environmentName(id, instanceId, news.name);
+          const groupName = yield* resourceGroupName(news.resourceGroup);
+          const location = yield* requireLocation(id, news.location, news.resourceGroup);
+          if (
+            name !== output.name ||
+            groupName !== output.resourceGroupName ||
+            location !== output.location
+          ) {
+            return { action: "replace" } as const;
+          }
+          if ((olds.zoneRedundant ?? false) !== (news.zoneRedundant ?? false)) {
+            return { action: "replace" } as const;
+          }
+          if (!diffValueEqual({
+            logAnalyticsCustomerId: olds.logAnalyticsCustomerId,
+            logAnalyticsSharedKey: olds.logAnalyticsSharedKey,
+            tags: olds.tags ?? {},
+          }, {
+            logAnalyticsCustomerId: news.logAnalyticsCustomerId,
+            logAnalyticsSharedKey: news.logAnalyticsSharedKey,
+            tags: news.tags ?? {},
+          })) {
+            return { action: "update" } as const;
+          }
+          return undefined;
+        }),
+        read: Effect.fnUntraced(function* ({ id, instanceId, olds, output }) {
+          const groupName =
+            output?.resourceGroupName ??
+            (olds ? yield* resourceGroupName(olds.resourceGroup) : undefined);
+          if (!groupName) return undefined;
+          const name = output?.name ?? environmentName(id, instanceId, olds?.name);
+          const environment = yield* Effect.tryPromise({
+            try: () => clients.appContainers.managedEnvironments.get(groupName, name),
+            catch: (cause) => azureError({ operation: "read Container Apps managed environment", resource: name, cause }),
+          }).pipe(Effect.catchIf(isNotFound, () => Effect.succeed(undefined)));
+          if (!environment) return undefined;
+          const attrs = toAttributes(environment, groupName);
+          return hasAlchemyTags(id, environment.tags) ? attrs : Unowned(attrs);
+        }),
+        reconcile: Effect.fnUntraced(function* ({ id, instanceId, olds, news, output }) {
+          const name = environmentName(id, instanceId, news.name);
+          validateEnvironmentName(name);
+          if (news.providerRegistration) {
+            yield* resolveResourceValue(news.providerRegistration.namespace);
+          }
+          const groupName = yield* resourceGroupName(news.resourceGroup);
+          const location = yield* requireLocation(id, news.location, news.resourceGroup);
+          if (output && olds) {
+            const existing = yield* Effect.tryPromise({
+              try: () => clients.appContainers.managedEnvironments.get(groupName, name),
+              catch: (cause) =>
+                azureError({
+                  operation: "read Container Apps managed environment before update",
+                  resource: name,
+                  cause,
+                }),
+            }).pipe(Effect.catchIf(isNotFound, () => Effect.succeed(undefined)));
+            if (existing && hasAlchemyTags(id, output.tags) && !hasAlchemyTags(id, existing.tags)) {
+              throw new Error(`Cannot adopt resource "${name}" without --adopt.`);
+            }
+          }
+          const environment = yield* Effect.tryPromise({
+            try: () =>
+              clients.appContainers.managedEnvironments.beginCreateOrUpdateAndWait(
+                groupName,
+                name,
+                {
+                  location,
+                  zoneRedundant: news.zoneRedundant ?? false,
+                  tags: withAlchemyTags(id, news.tags),
+                  appLogsConfiguration:
+                    news.logAnalyticsCustomerId && news.logAnalyticsSharedKey
+                      ? {
+                          destination: "log-analytics",
+                          logAnalyticsConfiguration: {
+                            customerId: news.logAnalyticsCustomerId,
+                            sharedKey: news.logAnalyticsSharedKey,
+                          },
+                        }
+                      : undefined,
+                },
+              ),
+            catch: (cause) =>
+              azureError({
+                operation: "reconcile Container Apps managed environment",
+                resource: name,
+                cause,
+              }),
+          }).pipe(withHeartbeat(`Container Apps managed environment "${name}"`));
+          return toAttributes(environment, groupName);
+        }),
+        delete: Effect.fnUntraced(function* ({ olds, output, session }) {
+          if (olds.delete === false) return;
+          yield* session.note(`Deleting Azure Container Apps managed environment: ${output.name}`);
+          yield* Effect.tryPromise({
+            try: () => clients.appContainers.managedEnvironments.beginDeleteAndWait(
+              output.resourceGroupName,
+              output.name,
+            ),
+            catch: (cause) =>
+              azureError({ operation: "delete Container Apps managed environment", resource: output.name, cause }),
+          }).pipe(
+            withHeartbeat(`deleting Container Apps managed environment "${output.name}"`),
+            Effect.catchIf(isNotFound, () => Effect.void),
+          );
+        }),
+      });
+    }),
+  );
+
+function toAttributes(
+  environment: ManagedEnvironment,
+  resourceGroupName: string,
+): ContainerAppEnvironment["Attributes"] {
+  if (!environment.name || !environment.id || !environment.location) {
+    throw new Error("Azure returned an incomplete Container Apps managed environment response");
+  }
+  return {
+    name: environment.name,
+    resourceGroupName,
+    location: environment.location,
+    environmentId: environment.id,
+    defaultDomain: environment.defaultDomain,
+    staticIp: environment.staticIp,
+    provisioningState: environment.provisioningState,
+    tags: environment.tags,
+  };
+}
+
+function validateEnvironmentName(name: string) {
+  if (!/^[a-z][a-z0-9-]{0,30}[a-z0-9]$/.test(name)) {
+    throw new Error(
+      `Azure Container Apps managed environment name "${name}" is invalid. It must be 2-32 characters, start with a lowercase letter, end with a lowercase letter or number, and contain only lowercase letters, numbers, and hyphens.`,
+    );
+  }
+}

package/src/ContainerImage.ts

@@ -0,0 +1,181 @@
+import { spawn } from "node:child_process";
+import * as Effect from "effect/Effect";
+import * as Redacted from "effect/Redacted";
+import { isResolved } from "alchemy/Diff";
+import { Resource } from "alchemy";
+import * as Provider from "alchemy/Provider";
+import { resolveResourceValue } from "./Internal.ts";
+import type { ContainerRegistry } from "./ContainerRegistry.ts";
+import type { Providers } from "./Providers.ts";
+
+export interface ContainerImageProps {
+  /** Azure Container Registry object or login server. */
+  registry: string | ContainerRegistry;
+  /** Repository name inside the registry. Defaults to the logical id lowercased. */
+  repository?: string;
+  /** Image tag. @default buildHash ?? "latest" */
+  tag?: string;
+  /** Docker build context path. @default "." */
+  context?: string;
+  /** Dockerfile path, relative to context or absolute. */
+  dockerfile?: string;
+  /** Build hash from an external build step. Changing this rebuilds and pushes. */
+  buildHash?: string;
+  /** Docker build arguments. */
+  buildArgs?: Record<string, string>;
+  /** Docker platform. Defaults to `linux/amd64` because Azure Container Apps requires an amd64 image. */
+  platform?: string;
+  /** Do not use Docker build cache. */
+  noCache?: boolean;
+  /** Registry username. Defaults to registry.username when a ContainerRegistry is supplied. */
+  username?: string;
+  /** Registry password. Defaults to registry.password when a ContainerRegistry is supplied. */
+  password?: string | Redacted.Redacted<string>;
+}
+
+export type ContainerImage = Resource<
+  "Azure.ContainerImage",
+  ContainerImageProps,
+  {
+    image: string;
+    loginServer: string;
+    repository: string;
+    tag: string;
+    buildHash?: string;
+  },
+  never,
+  Providers
+>;
+
+/**
+ * Builds a local Docker context and pushes it to Azure Container Registry.
+ *
+ * @example
+ * ```ts
+ * const image = yield* Azure.ContainerImage("Image", {
+ *   registry,
+ *   context: ".",
+ *   buildHash: build.hash,
+ * });
+ * ```
+ */
+export const ContainerImage = Resource<ContainerImage>("Azure.ContainerImage");
+
+export const ContainerImageProvider = () =>
+  Provider.effect(
+    ContainerImage,
+    Effect.gen(function* () {
+      return ContainerImage.Provider.of({
+        stables: ["image", "loginServer", "repository", "tag"],
+        list: () => Effect.succeed([]),
+        diff: Effect.fnUntraced(function* ({ id, news, output }) {
+          if (!isResolved(news)) return undefined;
+          if (!output) return undefined;
+          const desired = yield* desiredImage(id, news);
+          if (desired.image !== output.image || desired.buildHash !== output.buildHash) {
+            return { action: "update" } as const;
+          }
+          return undefined;
+        }),
+        read: Effect.fnUntraced(function* ({ output }) {
+          return output;
+        }),
+        reconcile: Effect.fnUntraced(function* ({ id, news, session }) {
+          const desired = yield* desiredImage(id, news);
+          const credentials = yield* registryCredentials(news);
+          if (credentials.username && credentials.password) {
+            yield* session.note(`Logging in to Azure Container Registry: ${desired.loginServer}`);
+            yield* run(
+              "docker",
+              [
+                "login",
+                desired.loginServer,
+                "--username",
+                credentials.username,
+                "--password-stdin",
+              ],
+              Redacted.value(credentials.password),
+            );
+          }
+          yield* session.note(`Building container image: ${desired.image}`);
+          yield* run("docker", dockerBuildArgs(news, desired.image));
+          yield* session.note(`Pushing container image: ${desired.image}`);
+          yield* run("docker", ["push", desired.image]);
+          return desired;
+        }),
+        delete: Effect.fnUntraced(function* () {
+          // Images are immutable build artifacts in ACR; deleting tags here would be surprising.
+        }),
+      });
+    }),
+  );
+
+function desiredImage(id: string, props: ContainerImageProps) {
+  return Effect.gen(function* () {
+    const loginServer = yield* registryLoginServer(props.registry);
+    const repository = props.repository ?? id.toLowerCase().replaceAll(/[^a-z0-9._/-]/g, "-");
+    const tag = props.tag ?? props.buildHash?.slice(0, 40) ?? "latest";
+    return {
+      image: `${loginServer}/${repository}:${tag}`,
+      loginServer,
+      repository,
+      tag,
+      buildHash: props.buildHash,
+    } satisfies ContainerImage["Attributes"];
+  });
+}
+
+function registryLoginServer(registry: string | ContainerRegistry) {
+  return Effect.gen(function* () {
+    if (typeof registry === "string") return registry;
+    return yield* resolveResourceValue(registry.loginServer);
+  });
+}
+
+function registryCredentials(props: ContainerImageProps) {
+  return Effect.gen(function* () {
+    if (props.username && props.password) {
+      return {
+        username: props.username,
+        password:
+          typeof props.password === "string" ? Redacted.make(props.password) : props.password,
+      };
+    }
+    if (typeof props.registry === "string") return {};
+    const username = yield* resolveResourceValue(props.registry.username);
+    const password = yield* resolveResourceValue(props.registry.password);
+    return { username, password };
+  });
+}
+
+function dockerBuildArgs(props: ContainerImageProps, image: string) {
+  const args = ["build", props.context ?? ".", "--tag", image];
+  if (props.dockerfile) args.push("--file", props.dockerfile);
+  args.push("--platform", props.platform ?? "linux/amd64");
+  if (props.noCache) args.push("--no-cache");
+  for (const [key, value] of Object.entries(props.buildArgs ?? {})) {
+    args.push("--build-arg", `${key}=${value}`);
+  }
+  return args;
+}
+
+function run(command: string, args: string[], stdin?: string) {
+  return Effect.tryPromise({
+    try: () =>
+      new Promise<void>((resolve, reject) => {
+        const child = spawn(command, args, {
+          stdio: [stdin ? "pipe" : "ignore", "inherit", "inherit"],
+        });
+        child.on("error", reject);
+        child.on("close", (code) => {
+          if (code === 0) resolve();
+          else reject(new Error(`${command} ${args.join(" ")} exited with code ${code}`));
+        });
+        if (stdin && child.stdin) {
+          child.stdin.write(stdin);
+          child.stdin.end();
+        }
+      }),
+    catch: (cause) => new Error(`Failed to run ${command} ${args.join(" ")}`, { cause }),
+  });
+}

package/src/ContainerRegistry.ts

@@ -0,0 +1,232 @@
+import type { Registry } from "@azure/arm-containerregistry";
+import * as Effect from "effect/Effect";
+import * as Redacted from "effect/Redacted";
+import { Unowned } from "alchemy/AdoptPolicy";
+import { isResolved } from "alchemy/Diff";
+import { Resource } from "alchemy";
+import * as Provider from "alchemy/Provider";
+import { makeAzureClients } from "./Clients.ts";
+import { azureError, isNotFound } from "./Errors.ts";
+import { collectAzurePages, diffValueEqual, makePhysicalNames, requireLocation, resourceGroupName } from "./Internal.ts";
+import type { Providers } from "./Providers.ts";
+import type { ResourceGroup } from "./ResourceGroup.ts";
+import { hasAlchemyTags, withAlchemyTags } from "./ResourceGroup.ts";
+
+export interface ContainerRegistryProps {
+  /** Registry name. Must be globally unique, 5-50 alphanumeric characters. */
+  name?: string;
+  /** Resource group object or name containing the registry. */
+  resourceGroup: string | ResourceGroup;
+  /** Azure region. Defaults to the resource group's location when a ResourceGroup object is supplied. */
+  location?: string;
+  /** Container Registry SKU. @default "Basic" */
+  sku?: "Basic" | "Standard" | "Premium";
+  /** Enable admin credentials so Docker can push images. @default true */
+  adminUserEnabled?: boolean;
+  /** Tags to apply to the registry. */
+  tags?: Record<string, string>;
+  /** Whether to delete the registry when removed from Alchemy. @default true */
+  delete?: boolean;
+}
+
+export type ContainerRegistry = Resource<
+  "Azure.ContainerRegistry",
+  ContainerRegistryProps,
+  {
+    name: string;
+    resourceGroupName: string;
+    location: string;
+    registryId: string;
+    loginServer: string;
+    username?: string;
+    password?: Redacted.Redacted<string>;
+    sku: string;
+    provisioningState?: string;
+    tags?: Record<string, string>;
+  },
+  never,
+  Providers
+>;
+
+/**
+ * Azure Container Registry for storing container images.
+ *
+ * @example
+ * ```ts
+ * const registry = yield* Azure.ContainerRegistry("Registry", {
+ *   resourceGroup: group,
+ * });
+ * ```
+ */
+export const ContainerRegistry = Resource<ContainerRegistry>("Azure.ContainerRegistry");
+
+export const ContainerRegistryProvider = () =>
+  Provider.effect(
+    ContainerRegistry,
+    Effect.gen(function* () {
+      const clients = yield* makeAzureClients;
+      const names = yield* makePhysicalNames;
+
+      const registryName = (id: string, instanceId: string, name?: string) =>
+        names.physicalName(id, instanceId, name, {
+          maxLength: 50,
+          suffixLength: 8,
+          delimiter: "",
+          lowercase: true,
+          sanitize: (value) => value.replaceAll(/[^a-z0-9]/g, "").slice(0, 50),
+        });
+
+      return ContainerRegistry.Provider.of({
+        stables: ["name", "registryId", "resourceGroupName", "loginServer"],
+        list: () =>
+          Effect.gen(function* () {
+            const groups = yield* Effect.tryPromise({
+              try: () => collectAzurePages(clients.resources.resourceGroups.list()),
+              catch: (cause) => azureError({ operation: "list resource groups", cause }),
+            });
+            const registries = yield* Effect.forEach(
+              groups,
+              (group) => {
+                if (!group.name) return Effect.succeed([]);
+                return Effect.tryPromise({
+                  try: () => collectAzurePages(clients.containerRegistry.registries.listByResourceGroup(group.name!)),
+                  catch: (cause) =>
+                    azureError({ operation: "list Container Registries", resource: group.name, cause }),
+                }).pipe(Effect.map((items) => items.map((item) => [group.name!, item] as const)));
+              },
+              { concurrency: 4 },
+            );
+            return yield* Effect.forEach(
+              registries.flat(),
+              ([resourceGroupName, registry]) =>
+                registry.tags?.["alchemy:logical-id"]
+                  ? toAttributes(registry, resourceGroupName)
+                  : Effect.succeed(undefined),
+              { concurrency: 4 },
+            ).pipe(Effect.map((items) => items.filter((item) => item !== undefined)));
+          }),
+        diff: Effect.fnUntraced(function* ({ id, instanceId, olds, news, output }) {
+          if (!isResolved(news)) return undefined;
+          if (!output) return undefined;
+          const name = registryName(id, instanceId, news.name);
+          const groupName = yield* resourceGroupName(news.resourceGroup);
+          const location = yield* requireLocation(id, news.location, news.resourceGroup);
+          if (
+            name !== output.name ||
+            groupName !== output.resourceGroupName ||
+            location !== output.location
+          ) {
+            return { action: "replace" } as const;
+          }
+          if (!diffValueEqual({
+            sku: olds.sku ?? "Basic",
+            adminUserEnabled: olds.adminUserEnabled ?? true,
+            tags: olds.tags ?? {},
+          }, {
+            sku: news.sku ?? "Basic",
+            adminUserEnabled: news.adminUserEnabled ?? true,
+            tags: news.tags ?? {},
+          })) {
+            return { action: "update" } as const;
+          }
+          return undefined;
+        }),
+        read: Effect.fnUntraced(function* ({ id, instanceId, olds, output }) {
+          const groupName =
+            output?.resourceGroupName ??
+            (olds ? yield* resourceGroupName(olds.resourceGroup) : undefined);
+          if (!groupName) return undefined;
+          const name = output?.name ?? registryName(id, instanceId, olds?.name);
+          const registry = yield* Effect.tryPromise({
+            try: () => clients.containerRegistry.registries.get(groupName, name),
+            catch: (cause) => azureError({ operation: "read Container Registry", resource: name, cause }),
+          }).pipe(Effect.catchIf(isNotFound, () => Effect.succeed(undefined)));
+          if (!registry) return undefined;
+          const attrs = yield* toAttributes(registry, groupName);
+          return hasAlchemyTags(id, registry.tags) ? attrs : Unowned(attrs);
+        }),
+        reconcile: Effect.fnUntraced(function* ({ id, instanceId, olds, news, output }) {
+          const name = registryName(id, instanceId, news.name);
+          validateRegistryName(name);
+          const groupName = yield* resourceGroupName(news.resourceGroup);
+          const location = yield* requireLocation(id, news.location, news.resourceGroup);
+          if (output && olds) {
+            const existing = yield* Effect.tryPromise({
+              try: () => clients.containerRegistry.registries.get(groupName, name),
+              catch: (cause) =>
+                azureError({ operation: "read Container Registry before update", resource: name, cause }),
+            }).pipe(Effect.catchIf(isNotFound, () => Effect.succeed(undefined)));
+            if (existing && hasAlchemyTags(id, output.tags) && !hasAlchemyTags(id, existing.tags)) {
+              throw new Error(`Cannot adopt resource "${name}" without --adopt.`);
+            }
+          }
+          const registry = yield* Effect.tryPromise({
+            try: () =>
+              clients.containerRegistry.registries.beginCreateAndWait(groupName, name, {
+                location,
+                sku: { name: news.sku ?? "Basic" },
+                adminUserEnabled: news.adminUserEnabled ?? true,
+                tags: withAlchemyTags(id, news.tags),
+              }),
+            catch: (cause) =>
+              azureError({
+                operation: "reconcile Container Registry",
+                resource: name,
+                cause,
+              }),
+          });
+          return yield* toAttributes(registry, groupName);
+        }),
+        delete: Effect.fnUntraced(function* ({ olds, output, session }) {
+          if (olds.delete === false) return;
+          yield* session.note(`Deleting Azure Container Registry: ${output.name}`);
+          yield* Effect.tryPromise({
+            try: () => clients.containerRegistry.registries.beginDeleteAndWait(
+              output.resourceGroupName,
+              output.name,
+            ),
+            catch: (cause) => azureError({ operation: "delete Container Registry", resource: output.name, cause }),
+          }).pipe(Effect.catchIf(isNotFound, () => Effect.void));
+        }),
+      });
+
+      function toAttributes(registry: Registry, resourceGroupName: string) {
+        return Effect.gen(function* () {
+          if (!registry.name || !registry.id || !registry.location || !registry.loginServer) {
+            throw new Error("Azure returned an incomplete Container Registry response");
+          }
+          const credentials = registry.adminUserEnabled
+            ? yield* Effect.tryPromise({
+                try: () => clients.containerRegistry.registries.listCredentials(
+                  resourceGroupName,
+                  registry.name!,
+                ),
+                catch: (cause) =>
+                  azureError({ operation: "list Container Registry credentials", resource: registry.name, cause }),
+              }).pipe(Effect.catch(() => Effect.succeed(undefined)))
+            : undefined;
+          const password = credentials?.passwords?.find((item) => item.name === "password")?.value;
+          return {
+            name: registry.name,
+            resourceGroupName,
+            location: registry.location,
+            registryId: registry.id,
+            loginServer: registry.loginServer,
+            username: credentials?.username,
+            password: password ? Redacted.make(password) : undefined,
+            sku: registry.sku.name,
+            provisioningState: registry.provisioningState,
+            tags: registry.tags,
+          } satisfies ContainerRegistry["Attributes"];
+        });
+      }
+    }),
+  );
+
+function validateRegistryName(name: string) {
+  if (!/^[a-z0-9]{5,50}$/.test(name)) {
+    throw new Error(
+      `Azure Container Registry name "${name}" is invalid. It must be 5-50 lowercase letters or numbers.`,
+    );
+  }
+}